Replies: 5 comments 3 replies
-
I ran into the code and found out that if the error returned belongs to

```go
userInfo, err := connect.UserInfo(client, token)
if err != nil {
	var sErr *social.Error
	if errors.As(err, &sErr) {
		// social.Error: the user is redirected back to the login page with a message
		hs.handleOAuthLoginErrorWithRedirect(ctx, loginInfo, sErr)
	} else {
		// any other error: generic 500 "server error" response
		hs.handleOAuthLoginError(ctx, loginInfo, LoginError{
			HttpStatus:    http.StatusInternalServerError,
			PublicMessage: fmt.Sprintf("login.OAuthLogin(get info from %s)", name),
			Err:           err,
		})
	}
	return
}
```
-
This is still the case with Grafana 8.4.2. The screen shows "Server error" as in the first post above. Logs show:
Relevant config:
This works fine as long as the user has one of those roles, but if this expression returns nil or an empty string, the "Sadly something went wrong" message is displayed. I think the current error message is fine if there is an error evaluating the JMESPath expression. However, if the expression is valid and returns nil or an empty string, then it would be much better if Grafana could display a page saying "Sorry, you are not authorized to access this application" or similar. The status code should be 403, not 500.
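To make the distinction the comment above asks for concrete, here is an added Go example (not Grafana's code and not from this thread) that separates an evaluation failure of the role expression (operator misconfiguration, 500) from a valid expression that yields no role for the user (authorization failure, 403 when strict mode is on). `RoleLookupError`, `ResolveRole`, `StatusFor` and the `GroupRole` stand-in for a JMESPath expression are all hypothetical names introduced for this example.

```go
package main

import (
	"errors"
	"net/http"
)

// RoleLookupError (hypothetical, not Grafana's) carries the HTTP status to send.
type RoleLookupError struct {
	HTTPStatus    int
	PublicMessage string
	Err           error
}
func (e *RoleLookupError) Error() string { return e.PublicMessage + ": " + e.Err.Error() }
var ErrNoRole = errors.New("role attribute expression evaluated to an empty value")
// ResolveRole separates "the expression could not be evaluated" (misconfiguration,
// 500) from "valid expression, but no role for this user" (403 when
// role_attribute_strict is on). eval stands in for the compiled JMESPath expression.
func ResolveRole(userInfo map[string]any, strict bool, eval func(map[string]any) (any, error)) (string, error) {
	result, err := eval(userInfo)
	if err != nil {
		return "", &RoleLookupError{http.StatusInternalServerError,
			"login.OAuthLogin(failed to evaluate role attribute path)", err}
	}
	role, _ := result.(string)
	if role == "" && strict {
		return "", &RoleLookupError{http.StatusForbidden,
			"You are not authorized to access this application", ErrNoRole}
	}
	return role, nil // empty role in non-strict mode: caller applies its default role
}
// StatusFor is the errors.As dispatch the handler does before responding.
func StatusFor(err error) int {
	var rErr *RoleLookupError
	if errors.As(err, &rErr) {
		return rErr.HTTPStatus
	}
	return http.StatusInternalServerError
}
// GroupRole is a constructed stand-in for contains(groups[*], 'admin') && 'Admin' || ''.
func GroupRole(userInfo map[string]any) (any, error) {
	groups, _ := userInfo["groups"].([]string)
	for _, g := range groups {
		if g == "admin" {
			return "Admin", nil
		}
	}
	return "", nil
}
```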
-
Any update on this from the Grafana team?
-
I re-checked with Grafana 10.1.1 and what I found was:
In summary, I think the UI is now a bit better for unauthorized users than it used to be, as it's not showing a server error, but it still suggests that there's an IdP configuration error, as opposed to the user being at fault by trying to access something they're not allowed to. I would like to have a way to tell the user definitively "You are not authorized to access this application". To me it seems like a null/empty return from
-
Hello, as you may have heard, we are transitioning away from using discussions to discuss feature requests. We are migrating this discussion to an issue and closing the discussion. The issue is #82971. Feel free to continue the discussion around this there. Thank you!
-
What happened:
When the configuration is set as above and the user info of the logged-in user does not match the role_attribute_path, and role_attribute_strict is enabled, the user interface is shown as follows:
Actually, I expect it not to be a server error but an authentication failure.
What you expected to happen:
My expected behavior is a better UX, such as 403 Forbidden or a custom redirect URL, instead of just showing a server error, and separating the error of an invalid attribute path from an authentication failure.
How to reproduce it (as minimally and precisely as possible):
Please see above.
Anything else we need to know?:
N/A
Environment: